Bonum Certa Men Certa

Let's Encrypt is Garbage, Albeit It's Disguised as 'Free' Privacy

Earlier this year (an unexplained incident, still): Techrights Urges Readers to Ask the Linux Foundation's Let's Encrypt (Backed by Companies That Give the NSA Back Doors) Some Hard But Legitimate Questions

Let's Encrypt address

Let's Encrypt LF connection

Let's Encrypt and LF

The signature for Let's Encrypt

Source: The latest-available IRS filing. See the IRS filing in full [PDF] for a lot more.

Summary: The 'Linux' Foundation in 'privacy' clothing is more like a monopoly disguised as non-profit while taking money from monopolies (to do their biddings in the most surveillance-intensive country in the entire world)

Yesterday we asserted (and then explained why) today's Linux Foundation -- or LF for short (one way to avoid the misleading name) -- works for monopolies, not Linux. It uses the "Linux" brand to market itself.



One thing that came from LF is a CA that issues loads and loads of certificates which expire after 3 months.

"The aspect nobody wishes to talk about is that the Let's Encrypt monopoly is reinforcing monopoly and monopolies (Let's Encrypt itself is fast becoming a monopoly and it helps large companies further monpolise and thus centralise the Web)."Look who backs this. Look who funds this. Look where the code is hosted (proprietary Microsoft GitHub). Even the site itself is outsourced to proprietary Microsoft GitHub...

Let's Encrypt is partly funded by Microsoft/GitHub and various other unsavoury companies notorious for their back doors (we can name more than a handful).

So much for security, considering how close Microsoft and the NSA have long been.

But that's not the point. That's not the most important thing.

The aspect nobody wishes to talk about is that the Let's Encrypt monopoly is reinforcing monopoly and monopolies (Let's Encrypt itself is fast becoming a monopoly and it helps large companies further monpolise and thus centralise the Web).

It may sound peculiar at first, but considering the FIDO situation we've seen it elsewhere as well. Much power can be gained -- sometimes money follows -- by making oneself the de facto standard. Then abuse and chaos may ensue, as monopolies need not compete and appease/please anyboby.

Yesterday the Let's Encrypt site published a blog post which bears a rather meaningless if not misleading headline (because a suitable headline would likely upset people right from the get-go).

Put in simple terms, sites that adopt HTTPS with the 'free' (so-called, hence scare quotes) Let's Encrypt will become inaccessible to a lot of visitors. In the name of fake 'privacy', which does nothing about spying at the endpoints (like data sales to brokers). People who think HTTPS 'means privacy' should remind themselves that companies like Facebook -- a Let's Encrypt sponsor -- use HTTPS and it does nothing to prevent Facebook from assaulting privacy like Microsoft assaults love itself. HTTPS helps secure things not at the endpoints but during transit.

LWN's headline was vastly more informative than the waffle from Let's Encrypt and it said:

Fallout from upcoming Let's Encrypt certificate changes



As described in this Let's Encrypt blog entry, certificates issued by Let's Encrypt will soon be signed solely by that organization's own root certificate, which is accepted by all modern browsers. There is one little catch, though: versions of Android prior to 7.1.1 (released in late 2016) do not recognize that certificate and will start throwing errors. "Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let’s Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites." There appears to be little to be done about this problem other than to encourage owners of older Android devices to install Firefox.


It quotes part of what Jacob Hoffman-Andrews said, followed by: "Hopefully these numbers will be lower by the time DST Root X3 expires next year, but the change may not be very significant."

Next year?

Let's Encrypt moneyJust one year? Hardly anything would change by then. See the comments in LWN. One person said: "Rooting old phones requires erasing them. I'd hazard that the users of those phones would be cautious about that (data loss), as opposed to current phones (loss of access to baking and game apps)."

They're pushing people to buy new so-called 'phones' (spying devices). And further down it says: "Plausibly deniable way to send users up the upgrade treadmill. C'mon, Android users! Throw away your devices, again!"

Why would anyone wish to turn away users in the name of fake 'privacy' or dubious levels of confidentiality? If the Let's Encrypt folks somehow hand over keys to the government (e.g. under Trump NSLs), then what good is it really? It not only helps monopolies but also militant empires.

Let's Encrypt may claim to be a liberating and democratising force, but that's assuming it does what it says on the tin.

An encrypted systems specialist elaborated on this. "Trust should only exist between the provider of data and the consumer," he said to us. "Any other third party introduced into the system is an attack against privacy, security, and autonomy. Don't let quacks convince you otherwise."

"The discussion should lead the user to devices and browsers that let them have a local list of public keys they trust. That's the basic function of TLS anyways. The concept of a CA needs to be binned altogether. You can still trust certs yourself on Firefox. Just ignore the browser warnings."

He added that "what [we] should tell users is to start trusting self-signed certificates in favour of certs provided by CAs. Let's Encrypt is a vehicle for maintaining the trust monopoly. It's free so people blindly just use it, without realising they're just further entrenching the trust monopoly. Anyone can generate TLS certs with openssl (or even more secure libressl; libressl is by the OpenBSD team. It's the best TLS software around. There's nothing magical about TLS certificates. If someone has something like WordPress, you can just use libressl to generate your own certs and then put a banner on the top of your info page on your website asking users to trust whichever cert you generated and hasn't expired [and] what we really need in a truly security-and-privacy respecting Web browser is one that rejects all TLS certificates by default and only accepts certs the user agrees to accept. Right now the situation is the opposite of what it should be. Users have monopolised "trust providers" dictate which certs they accept. Kind of how you do when you set up SSH. You block all public keys by default and only allow ones you trust yourself. And you, the user, have full control of your trust system. Delegation of trust mechanisms to third parties is flagrant stupidity in any security system. In summary: right now you, the user, have a dictator ordering you whom you can and cannot trust. This is absurd. Your devices and software shouldn't stop functioning when you want to take back control over your trust. The current system is a dictatorship of CAs forcing people to give up control over their trust (and by extension, their security and privacy). These are abuses against articles 12 and 19 of the Universal Declaration of Human Rights."

Don't forget that Let's Encrypt is US-based and monopolies-backed. They're not a charity, not a nonprofit either. They have motivations that aren't altruistic and we know who pays the salaries (not friends and allies of privacy, sometimes foes of it). They call themselves "[a] nonprofit Certificate Authority providing TLS certificates to 225 million websites." The Linux Foundation also calls itself "nonprofit", but we know that's a lie.

The encrypted systems specialist said he "[had] forgot[ten] to mention one other big point. The fact you can't block CAs in your browser and certain certificates is evidence enough of the malice behind the design and implementation of the web today."

The incidents of March (earlier this year) could be seen as an eye-opener. They never bothered explaining why they had issued millions of bad certificates, which they later revoked; they didn't explain what actually caused this incident and what was done about it.

As a side note, the SELinux project of Red Hat (now IBM) used to issue monthly declarations about no government interventions/involvement. Those stopped years ago. What is it they say about canaries?

"I have never seen any letsencrypt documentation say they have canaries," oiaohm wrote this morning, "and if you know USA law on the matter canaries is basically false. One of the USA encrypted email systems that is shutdown now had canaries and when the NSA with NSL stepped in they were forbid from using them. So their end users knew nothing."

A lot more discussion regarding this issue can be found in tomorrow's IRC logs.

Comments

Recent Techrights' Posts

[Meme] Patent Monopolies as Bribes at the European Patent Office (EPO)
bloggers who report crime are being threatened with lawsuits by several law firms hired by the EPO to cover up crimes
New EPO Letter Expressing Concerns About EPO Violating Its Charter, Clearly Violating Rules (Possibly Bribing Siemens With Monopolies) and Granting Loads of Fake Patents to Make More Money
Why does the EU tolerate the EPO's crimes and how much longer will this go on for?
[Meme] EPO 'Hush Money' to Companies That Point Out EPO Breaks the Rules
A bribed doorman: "We have patent examiners, but if you say the right words, we'll bypass them for you"
Certificate Authorities (CAs) Are Serving the Authorities, Not You
The centralised CAs "model" is not working
Rage in the Propaganda Machine
There has never been a better time to quit social control media
The Free Software Movement Must Not Assume That Truth and Science Always Win
Sometimes the bad people and the liars get ahead
Peter Eckersley and 'Afterlife'
It's better to look after one's health at present than to pursue all sorts of perceived 'insurance' policies
Terms of Service (TOS) Under Scrutiny - Part XV - "Zoom's terms of service change sparks worries over AI uses" (and More)
Then they wonder why users get all grumpy?
IBM is Cutting - Almost in Half - Its Office Space in Austin, So Expect Many Layoffs (RAs)
IBM reduces office space by 187,00 square feet or 37%
IRC Proceedings: Saturday, September 07, 2024
IRC logs for Saturday, September 07, 2024
They Used to Say Avoid Nginx (or NGINX) Because It's Russian. Now You Can Say Avoid It Because It's Microsoft.
Thankfully we quit using NGINX when we shut down our HTTP proxy for Gemini
Instead of Telegram People Should Use Free Software (Telegram Was Always Unsafe for Use)
"Modern" so-called 'smart' 'phones' are compromised at the OS level or baseband side
 
On Losing the Job at Google After Talking About Committing Acts of Violence Against Colleagues
We still have a highly toxic element in our community that goes to public conferences in search of sex
NIST is Threatening to Sue You With Patents on Mathematics (That Aren't Even Legal in the First Place) If They Don't Like You
They're asserting monopolies on mathematics
Gemini Links 08/09/2024: WebDAV, OpenBSD, Pocket Reform, and More
Links for the day
Links 08/09/2024: Super Typhoon and Lots of Climate Journalism
Links for the day
Terms of Service (TOS) Under Scrutiny - Part XVI - When Radio is No Longer "Read-Only" (Listening Mode) Because Someone Listens and Sells Your Data
Who would want to put up with this?
redhat.com is Promoting Revisionism and Lies Regarding the Origin of the Term "Open Source"
debunked many times before
Software Patents Against GNU/Linux Again
Patent extortion against OpenShift and Red Hat Enterprise Linux
Over at Tux Machines...
GNU/Linux news for the past day
Gemini Links 07/09/2024: Self Hosting (Not "CLOUD") and Site Reliability Engineering
Links for the day
The Arrest of Pavel Durov is Changing Telegram
Remember that Telegram's founder, who is also French, cannot leave France until he satisfies those who detained him
The Growth of GNU/Linux is Now a Mainstream Topic With Widespread Awareness
We can do less counting (of baskets and eggs) and more advocacy
Techrights is a Demonstrably Popular Site, Reporting Suppressed Facts. Those Vouching for Its 'Unpopularity' Express a Desire Rather Than a Condition or a Fact.
Our 100% source protection record will hold up
John Pilger's Site Relaunches, Wikileaks' Site Has Not Been Updated in Years
We have long hoped that, more so after the release of Assange, Wikileaks will have some kind of "relaunch" or recovery
A Terms of Service (TOS) Notion of "Consent"
We're well past the true notion of real consent
Terms of Service (TOS) Under Scrutiny - Part XIV - Zoom the Beast
breakdown of the Zoom TOS and corresponding privacy statement
Links 07/09/2024: Qualcomm May Buy Parts of Intel, YouTube Deletes Channels for the US Government
Links for the day
No, Mastodon is Not Growing, Social Control Media is Generally Waning
Our sister site pulled the plug on the whole thing over a year ago, seeing it was mostly a source of online abuse
A Loss for Fake Security, a Win for Net Autonomy
Crucifixion of domains has been ramping up this past week; it's a cautionary signal
Links 07/09/2024: UK Police Raid Journalist's Home, Epoch Times Setbacks, and Karma
Links for the day
FSFE: Donate to Us to Co-Fund With Microsoft the Unpaid Underage Labour, YH4F
Latest from FSFE
Links 07/09/2024: China's Financial "Bond" to Africa and Attempts to Postpone Trump Criminal Cases
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, September 06, 2024
IRC logs for Friday, September 06, 2024
linuxsecurity.com is Still Spamming the Web
This is not harmless to Linux and it definitely merits a shun
Gemini Links 07/09/2024: Freedom in Bareness, Reactions in Addictive Social Control Media
Links for the day
Why We Are Suing Matthew J. Garrett for Harassment and Why It's Important to Everybody in the Community
There's a limit to how much abuse to me and to my family I can tolerate for the act of merely reporting on corporate corruption
[Meme] Confused Michael
Teaser...
Links 06/09/2024: Censorship of Sites by US, Hype Around LLMs Noted
Links for the day
[Meme] Hijacking the Brands
"Linux? Ah, you mean Microsoft!"
Google: We Help Combat What We Are Guilty of
The search itself is a conflict of interest
Linux Foundation Technical Advisory Board Has Election, But Google is Already Guaranteed Over 33.3% of the Seats ('Reserved' for It)
It has too much power/influence and it looks like a stacked panel
[Video] Theodore Ts'o Says How He Brought Linux to the United States (MIT) and What Makes Linux Leadership Effective
Microsofters keep attacking him
Layoffs Are Healthy and Not Happening
Good news for a change?
[Meme] Trickle-Down Ponzi Scheme
Where does money actually come from?
Considering Microsoft's Totally Fake Finances It Too is at Risk of Being Delisted From the Dow Jones Industrial Average and Other Indexes (NASDAQ, S and P) in the Near Future
Microsoft and Apple both had many layoffs this year
Asking Ourselves What Topics to Strategically Focus on
A lot of the tech media - if not "mainstream" media too - is already covering the growth of GNU/Linux
Media Needs to Stop Asking If "AI" is Just Hype (It Is, It's Not a Question)
The media should stop asking if the "AI" thing is bubble about to pop
Lots of GNU/Linux Detected in Palau and Windows Falls to New All-Time Low (14%)
Windows is falling further
Gemini Links 06/09/2024: Degoogling, LLMs, and ROOPHLOCH
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, September 05, 2024
IRC logs for Thursday, September 05, 2024